Project lays foundation for analyzing IT incident costs

By Theresa Hofer
Information Technology Division

Results were released recently from a ground-breaking study of
information technology (IT)-related incidents in academic computing
environments. The study, sponsored by the chief information officers
of the Committee on Institutional Cooperation (CIC), provides a
foundation for future research into the risks and costs associated
with these incidents.

According to Project Director Virginia Rezmierski, director of the
Office of Policy Development and Education, Information Technology
Division, system administrators knew that IT-related incidents were
occurring, but had no method for determining what the incidents were
costing their universities in time, materials and resources. "If you
are going to try to manage your risks," she says, "you need to
understand what's happening, how much it's costing and how often it's
happening. The CIC chief information officers were proactive in
examining their risks."

The Incident Cost Analysis and Modeling Project (ICAMP) was
designed to begin the process by developing a method for
understanding the factors that influence the occurrence and costs of
IT-related incidents in academic computing environments, and to
provide insight into the magnitude of loss to the universities from
30 particular incidents.

Project team members included U-M graduates Stephen Deering, Amy
Fazio and the late Scott Ziobro. With the cooperation of staff at the
12 CIC campuses (the Big Ten plus the University of Chicago), the
team gathered detailed information from 30 incidents submitted by IT
personnel at the universities. The incidents included hardware and
data theft, unauthorized access by computer hackers, power outages
and system crashes.

Investigators examined both direct and secondary costs of the
incidents, including unquantifiable costs such as lost work
opportunities, damage to the institution's reputation and the
potential for legal liability. The team then developed the foundation
for a model for analyzing the costs of IT-related incidents and
identified factors that increase both the likelihood of an incident
occurring and the cost of an incident once it has occurred.

The costs of the 30 incidents ranged from $30 to $150,000.
Rezmierski notes, "Some would say that these incidents really cost
nothing because the people working on them were already hired and
would get paid anyway. Others would argue that the incidents cost the
full amount because these employees should be doing other
things."

Kathy Kimball, university computer, network and information
security officer at Pennsylvania State University and a member of the
ICAMP advisory board, presented the results of the study to about 150
people attending the conference of the Forum on Incident Response
Teams on June 24. Attendees from North and South America, Europe and
Asia expressed great interest in the results. "In the security
community," Kimball said, "there's a hunger to get any data that
indicates what costs are."

Researcher Fazio warned, however, that the numbers without
frequency data can be misleading. "A $30 incident," she said, "could
occur 60 times a month or more. Without frequency data, we simply
cannot say how much these incidents are really costing
universities."

George Cubberly, assistant risk manager in the Office of Risk
Management and another member of the ICAMP advisory board, believes
that the next major step is a study that would examine frequency data
for certain types of incidents. "The numbers," he said, "may be
staggering."

Rezmierski agrees and is seeking funding for such a follow-up
project. "The security people believe strongly," she says, "that we
have shown even less than the tip of the iceberg."

Meanwhile, Fazio notes, universities or even departments within
universities that are tracking frequency data could plug their data
into the ICAMP model. "We purposely structured the model so it was as
accommodating as possible to all academic institutions."

Cubberly observes that the issues examined by the ICAMP study
should be of concern to all University faculty and staff. "Everybody
needs to be aware," he says, "that they all have some sensitive data,
and part of their responsibility is to protect that for the
University. Lack of security and backup costs dollars and
inconveniences faculty, staff and students."

For more information about ICAMP or to obtain a copy of the
report, contact Rezmierski at 647-4274 or ver@umich.edu. For
questions about hardware and data loss, insurance coverage and
disaster planning, contact Cubberly, 764-2200 or gpcubber@umich.edu.
To report suspected IT-related incidents, contact the IT User
Advocates at itua@umich.edu.